Vormetric recently (April 2016) announced the results of the Healthcare Edition of the 2016 Vormetric Data Threat Report (DTR). The report is issued in conjunction with analyst firm 451 Research and reports responses from 1,100 senior IT security executives at large enterprises worldwide, including over 100 in U.S. healthcare organizations. This edition of the fourth annual report extends earlier findings of the global report, focusing on responses from IT security leaders in healthcare, and details IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances. Key findings:

96 percent feel vulnerable to data threats

63 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year

At 61 percent, meeting compliance requirements was the top IT security spending priority, with preventing data breaches well behind at 40 percent

Complexity at 54 percent, and lack of staff at 38 percent, are identified as top barriers to adoption of better data security

Bright spots include 60 percent increasing spending to offset threats to data and 46 percent increasing spending on data-at-rest defenses this year

Healthcare data has become a prime target for cybercriminals. With records selling for hundreds of dollars, it’s no wonder healthcare professionals feel they are in a cybercriminal’s crosshairs. When asked about concerns with external threat actors, 72 percent chose cybercriminals as a top three selection, and 39 percent as the number one selection.

Compliance continues to drive healthcare organizations – But compliance is not enough

With adherence to a myriad of federal and industry regulations as well as compliance standards creating a minimum requirement for doing business, it’s no surprise that IT security professionals in the healthcare field are focused on meeting compliance requirements including HIPAA-HITECH, EPCS, PCI DSS and FDA CFR Title 21. With this in mind, the top three reasons to secure sensitive data were:

“Compliance is only a step towards Healthcare IT security,” said Garrett Bekker, senior analyst, information security, at 451 Research and the author of the report. “As we learned from data theft incidents at healthcare organizations that were reportedly HIPAA compliant, being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”

Times have changed – security strategies, not so much

“IT security professionals are spending heavily on what has worked for them in the past,” said Bekker. “They are continuing to invest in defenses like network and endpoint security offerings that offer little help in protecting data once perimeters have been breached.”

A perception of complexity was identified as the number one barrier to adopting data security widely, selected by 54 percent of healthcare respondents. To some extent, this may be a misconception, as modern data security solutions no longer have the deployment and maintenance problems of older solutions that respondents may be familiar with.

Complex deployments also typically require significant staffing, and ‘lack of staff to manage’ came in as the second highest barrier at 38 percent, followed by lack of organizational buy in at 33 percent and lack of budget at 30 percent.

IoT, Cloud and Big Data challenge healthcare IT security practices

IoT: With more work being done on mobile devices by medical professionals, and more connected wearables for general health and outpatient use, this is becoming a prime area of concern for the future of healthcare. Data needs protecting on the device and in transit, as well as within backend repositories and analysis sites.

Their number one concern? Privacy violations related to IoT data (37 percent) and protection of IoT data (36 percent)

Cloud: Healthcare providers have many concerns with cloud usage, but are storing sensitive data at breakneck speed. Top concerns included:

Privileged user abuse at the cloud provider level (74 percent)

Meeting compliance requirements (72 percent)

And security breaches at the cloud provider level (69 percent)

Even so, 48 percent will use Software as a Service (SaaS) environments, 52 percent Infrastructure as a Service (IaaS) and 52 percent Platform as a Service (PaaS) resources within the next 12 months.

Encrypting data and maintaining local control over keys was the number one factor that would increase healthcare respondents’ willingness to use public cloud, at 48 percent of responses.

Big Data: 51 percent of respondents were planning to store sensitive data within these environments, but few were worried. In spite of this high level of use with sensitive data, only 15 percent regard big-data implementations as presenting a top three risk for loss of sensitive information.

Getting some things right

A number of positive results indicate that healthcare organizations are taking steps in the right direction to recognize and deal with the problem.

60 percent are increasing spending to protect sensitive data

46 percent, more than any other vertical, plan to invest in data-at-rest defenses this year

46 percent are looking to implement data security to follow industry best practices

Many are planning to implement ‘newer’ security tools that are more effective at protecting data even when other defenses have been compromised. These include cloud security gateways (39 percent), Security Event and Information Management (SIEM) systems (36 percent), tokenization (35 percent) and data access monitoring (34 percent).

“With the boom in black market sales of healthcare data, the potential for financial harm to patients’ privacy and security from inadequately protected data is growing fast,” said Tina Stewart, vice president of marketing for Vormetric. “Yet compliance requirements that can’t completely safeguard data continue to be the driver for healthcare industry IT security practices. For healthcare organizations, they now have to prioritize the safety of patient data and privacy as part of patient care, and realize that meeting compliance requirements is only a start.”

The research report is available from Vormetric.